{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-36874", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-05-10T20:04:09.909Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T12:16:56.807Z"}, "descriptions": [{"lang": "en", "value": "Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_student.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/basic-library-system/SQL-3.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T20:28:18.210845Z", "id": "CVE-2026-36874", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-10T20:04:09.909Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-36874", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T20:28:18.210845Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:42:51.672Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/basic-library-system/SQL-3.md"}], "descriptions": [{"lang": "en", "value": "Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_student.php."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T12:16:56.807Z"}}}, "cveMetadata": {"cveId": "CVE-2026-36874", "state": "PUBLISHED", "dateUpdated": "2026-05-10T20:04:09.909Z", "dateReserved": "2026-04-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-13T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:razormist:basic_library_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F93EAAD-3EF5-4565-8C51-7AEBA905A0CD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_student.php."}], "id": "CVE-2026-36874", "lastModified": "2026-05-10T21:16:29.007", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-13T13:16:41.673", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/basic-library-system/SQL-3.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "basic_library_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-04-14T18:26:14.306020+00:00", "value": {"mitigation_remediation": ["Review and sanitize all user input parameters in load_student.php before including them in SQL statements.", "Implement parameterized queries or prepared statements to eliminate injection vectors.", "If possible, upgrade to a newer version of the application where the issue has been fixed, or patch the code directly.", "Restrict access to the load_student.php endpoint, limiting it to authorized users only.", "Monitor application logs for suspicious query attempts and consider web\u2011application firewall rules to block injection patterns."], "summary": {"action": "Apply Patch", "impact": "Database compromise via SQL injection"}, "threat_synthesis": {"affected_systems": "Affected systems include the Sourcecodester Basic Library System open\u2011source application version 1.0. The vulnerability resides in the public web script /librarysystem/load_student.php. If the system is deployed in a production environment where the script is reachable, all users accessing this endpoint are at risk. No other versions or builds are listed as affected, but any deployment of 1.0 remains vulnerable until changes are made.", "description_and_impact": "The vulnerability is an SQL Injection in the load_student.php endpoint of Basic Library System v1.0. The flaw allows an attacker to inject arbitrary SQL statements through unsanitized user\u2011supplied input, potentially retrieving, modifying, or deleting data from the underlying database. This weakness aligns with CWE\u201189, where improper validation of SQL query parameters leads to unauthorized database access. The impact is the loss of data confidentiality, integrity, and availability, depending on the attacker\u2019s goals, because credentials or library records could be exposed or altered.", "risk_and_exploitability": "The CVSS score of 2.7 indicates a low severity, suggesting limited impact when restricted to a single user context. EPSS is below 1\u202f%, implying low market exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog, so no known active exploitation. However, the attack vector is inferred to be local or remote through web submission of crafted input; the description does not explicitly state the required conditions, so it is assumed the attacker can reach the endpoint via HTTP requests. With no public exploit code available, exploitation remains theoretically possible but not actively observed."}}}}, "created": "2026-04-13T14:27:00.116588+00:00", "title": "SQL Injection in Basic Library System Load Student Script", "updated": "2026-04-15T15:45:07.544205+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$basic_library_system"]}